Today, you almost can’t find any real-world application (web or mobile) that doesn’t use authentication. Companies believe that their applications must ensure that only certain people can use the features that they have built into them.
If you are a budding developer looking to implement authentication into your software system and don’t know how to get started, here is the article you have been waiting for.
INTRODUCTION TO AUTHENTICATION
Authentication is simply how a user proves they are who they say they are.
“Authentication is the process of verifying that an individual, entity, or application is who they claim to be.” - OWASP Authentication Cheatsheet
In the context of web applications, authentication is usually performed by submitting a username or email address and at least one item or piece of data that only a given user should know. The first means of identification, i.e., your username or email address, must be unique and case-insensitive. It can be publicly available, as in the case of Twitter, where you share your username as your handle for someone else to view your profile. The second means of identification could be anything ranging from a password to a magic link or soft token like an OTP, but it is secret information that only you are expected to know.
Applications use different combinations of factors to authenticate a user. These factors may include the following:
Credentials: tokens, usernames, email accounts, or passwords.
Device identifiers: cookies, long-lived application sessions, phone numbers, or multi-factor authentication.
Third-party libraries or services such as OAuth
Any form of authentication uses at least one of the following factors:
Something you know
Something you have
Something you are
In this article, we will focus on password authentication (something you know).
IMPORTANCE OF AUTHENTICATION
“Authenticating users is so important because it enables organizations to keep their network secure by permitting only authenticated users to access protected resources” – Tomorrow Office
Also note that without authentication, there will be no authorization built into the system. If there is no authorization, there will be no secure system (or application). Therefore, authentication forms the basis of security in every application.
SOME TYPES OF AUTHENTICATION YOU SHOULD KNOW
Usually, the most common type of authentication is password authentication, but this is not usually the only existing authentication method used or the only authentication factor employed. Web developers have recently adopted the use of SSO (more on this later) to help reduce users' friction during authentication.
Some of the common types of authentication include:
Password Authentication: This is the most popular authentication method you will see on the street of software development. Usually, this involves providing certain credentials like username, user ID, or email address and password. The username or email address is used to verify if there is an account that is available under that credential, while the password is used to verify if the user trying to access the account’s data is the owner of the account.
As good as this method might sound, it has so many flaws, especially since it is the oldest means of authentication. Since this article will dwell on this, we will come back to it.
Passwordless Authentication: This is an authentication method that doesn’t require a password. “How then is a user authenticated if no password is needed?”, you may be forced to ask. The primary motivation behind this mechanism is to eliminate the need for users to remember their passwords, hence making attacks like phishing useless.
Here you authenticate the user based on what they know and what they have. For example, the user provides the email address they used to register on your platform and then you send them a magic link or an OTP via email which they can use to verify their identity.
SSO (Single Sign-On) Authentication: This authentication method attempts to reduce user friction by reducing the number of passwords required to just one, which is the password required to log on to the SSO service. Once the user is authenticated by the SSO service, the service should ensure that the user is logged on to other websites and services using this one set of credentials provided.
Simply put, users only need to be authenticated once and this authentication can then be passed to every application by sending a digital authentication message to each application as needed.
Though this method prevents users from following bad security practices caused by the need to remember multiple passwords across several platforms or applications, it can be a single point of failure (SPOF) is compromised by an attacker, because the attacker can use this set of credentials to penetrate other platforms where the user is also authenticated.
Multi-factor Authentication: This is the process of verifying a person’s identity using more than one authentication factor. Every other authentication method involving just one authentication factor is called single-factor authentication.
Multi-factor authentication (also known as MFA) is a stronger type of authentication than single-factor authentication (also known as SFA) because it is much harder to fake more than one authentication factor.
An example of MFA is two-factor authentication (2FA) which is what MFA is called when two factors are used. The most common type of 2FA is “something you know” + “something you have”. For example, in a bank application, you usually send an OTP to either your email or phone number after entering your usual credentials such as phone number and password.
After getting the general concept of authentication out of the way, let us take a deeper dive into password authentication.
PASSWORD AUTHENTICATION: A DEEPER DIVE
Since passwords are so common, there are a lot of ways attackers have come up with to break them. In this article, we will discuss some of the most common attacks and the rules and recommendations for implementing secure passwords.
“What do attackers gain from attacking passwords?”
They can easily impersonate users and gain unauthorized access to further exploit the networks or servers on which the application is hosted. Also, they can steal the users’ data and sell their credentials online. They can access users’ financial details and steal money from them.
SOME PASSWORD ATTACKS YOU SHOULD KNOW
The password attacks that will be discussed in this article include:
Brute force
Offline cracking and rainbow tables
Phishing
BRUTE FORCE ATTACK
This is an attack in which multiple passwords or passphrases are entered into an application in the hope of correctly guessing the password of a user. This is tedious if done manually, but there are software programs that exist for this purpose. Hence, an attacker can try 3000 passwords in 1 minute, which means that in an hour, it is very possible for a user to correctly guess a user’s password (especially if the password is not strong enough).
“If brute force attacks can be accomplished by software, why are banks still using 4-digit pins?”
Banks use rate limiting to limit the number of login attempts, thereby preventing the attacker from trying thousands of passwords.
Also, setting password rules can ensure that users only use long and complex passwords that are not among the most commonly used passwords, thereby increasing the time it will take to brute force them exponentially.
OFFLINE CRACKING AND RAINBOW TABLES
Though preventing an attacker from downloading an application database is essential, an application should be designed in such a way that even if an attacker has access to the database, they cannot gain access to the passwords.
The basic strategy for preventing attackers from reading passwords from a database is to store hashed passwords in the database. Hashing a password is the process of passing a password through a function that converts the password into a shorter, fixed-length string that is in no way closer to the initial password.
Hashing the password alone won’t prevent all offline attacks. If the users use common passwords or reuse passwords across sites, the attacker can easily recognize the hashes using a rainbow table.
"A rainbow table is a precomputed table used to cache the output of cryptographic hash functions, typically for cracking password hashes," according to Wikipedia.
Salting can also be used to make rainbow attacks less effective. Salting is simply a technique used to protect passwords by adding strings of 32 or more characters to the end of the passwords before hashing them. This makes it difficult to reverse-engineer passwords and steal them from the database.
PHISHING
Phishing is a form of social engineering where attackers deceive people into revealing sensitive information that can then be used to gain access to their accounts on websites or gain entrance into their devices.
In simple words, phishing is the process of sending fake messages to try to steal someone’s credentials. This technique is used almost every day and can take different shapes. Since attackers can get users to believe that they are legitimate and authentic, they will readily give out sensitive information.
Phishing is something that websites cannot eliminate because it depends on the security awareness of the users, but it is possible to make it harder by:
Using HTTPS and a recognizable, valid domain name.
Always use the same domain for the service.
Use MFA.
BEST PRACTICES FOR PASSWORD VALIDATION
One of the courses I so much enjoyed last term was Mathematical Thinking. If you want to learn about my experiences with it, you can check out my previous articles. In that course, our midterm project was focused on analyzing and determining how good a password is using mathematics.
The project taught me that the greater the number of characters in a password, the more difficult it is for an attacker to brute-force it. But you have experienced how frustrating it is for you to remember your passwords when they are pretty long. This is why users find it much easier to use weaker (and easier-to-remember) passwords or one password across various websites.
When implementing password validation in your application, there are a few rules to keep in mind. These rules are given in the NIST password guidelines. They include:
Ensure passwords are at least 8 characters long for user-generated passwords and at least 6 characters for machine-generated passwords.
When creating passwords, ensure that passwords are not in previous password breaches (remember rainbow tables) and are not found in dictionaries.
Provide clear feedback about why passwords aren’t valid.
Make special characters rules optional.
Don’t allow password hints.
Enable copy/paste in your forms for a good user experience, especially for users using password managers.
CONCLUSION
Let us end this article here, friends! I believe that this article has achieved its purpose, and you can move on to implement password authentication in your applications.
Bottom line: Combining password authentication with another authentication factor will make it much harder for attackers to steal users’ credentials. But if your password authentication is not properly implemented and your users are not security conscious, your other authentication factor may not be effective!
Authentication and authorization were the two main focuses of Web Application Development (WAD) this week, and I enjoyed every bit of the learning process.
MORE RESOURCES, MY DEAR DEVELOPER
To learn more about authentication, here are some resources for your consumption: